Would-be vibe coders looking to experiment with Claude Code are being targeted by malicious install guide websites that pop up in Google search results and install malware when executed.
Dubbed InstallFix by Push Security, the scheme is a modification of the ClickFix social engineering scam. It inserts instructions to download malware during the Claude Code install process on cloned websites. The attack bypasses many standard malware protections because the user initiates it. Where that often requires the user to open a run dialogue box or perform a CAPTCHA check, InstallFix adds a dodgy URL to an install guide you already trust, making it easy to slip up.
Adding an extra wrinkle is that InstallFix is showing up in Google results as sponsored links when searching for “Claude Code.”
Ideally, you’d avoid pasting URLs you find in guides (or anywhere), but it’s not uncommon to see this when installing some tools online. Indeed, the legitimate Claude Code install site asks you to do just that (this is the real one, check the URL). It’s this curl-to-bash command shown in the image below that causes so many problems when pasted into your terminal and actioned.
As Push Security describes, the cloned sites look nearly identical to the real thing, with the same logos, layout, and functioning links. But if you check the instructions, you’ll see the URLs for downloading files point to an attacker-controlled server that can download anything it likes, often without tripping your anti-malware software.
As with many modern malware attacks, this one is multipronged as well. When you run the download command, it installs an executable that then downloads more malware from a remote URL. It appears to be related to the Amatera Stealer malware and primarily targets user data, grabbing passwords, cookies, and session tokens. It’s also hard to delete.
Although this particular campaign targets Claude Code, InstallFix scams are growing in number and are likely to proliferate further as AI tools attract users looking to vibe code for the first time.
Be careful out there. Check the URLs of the sites you’re visiting, and be extra wary when copying and pasting anything into a terminal from a website you don’t know much about.
About Our Expert
Jon Martindale is a tech journalist from the UK, with 20 years of experience covering all manner of PC components and associated gadgets. He’s written for a range of publications, including ExtremeTech, Digital Trends, Forbes, U.S. News & World Report, and Lifewire, among others. When not writing, he’s a big board gamer and reader, with a particular habit of speed-reading through long manga sagas.
Jon covers the latest PC components, as well as how-to guides on everything from how to take a screenshot to how to set up your cryptocurrency wallet. He particularly enjoys the battles between the top tech giants in CPUs and GPUs, and tries his best not to take sides.
Jon’s gaming PC is built around the iconic 7950X3D CPU, with a 7900XTX backing it up. That’s all the power he needs to play lightweight indie and casual games, as well as more demanding sim titles like Kerbal Space Program. He uses a pair of Jabra Active 8 earbuds and a SteelSeries Arctis Pro wireless headset, and types all day on a Logitech G915 mechanical keyboard.
-
Here’s What 2 Years of QD-OLED Monitor Burn-In Looks Like
-
TCL Tips Mini LED Gaming Monitor That Can Hit 1,040Hz Refresh Rate
-
NASA Targets April 1 for Delayed Artemis II Lunar Flyby
-
Nvidia Turns Its AI Ambitions Toward 6G, Argues It Should Be Open Source
-
Developer Uses Older AMD GPU for Game Demo, and the Results Are Impressive
-
More from Jon Martindale
